I'm looking to get started in the world of Penetration Testing with the aim to make it my career. The company I work for has indicated that it may be able to help out with training and finances as part of my development as they are looking to bring some pen testing in house but while this is being sorted I'd like to put myself in the best possible position.

I currently work as a manual tester and am mainly involved in testing UNIX server software and applet based GUI's. I have a good working knowledge of UNIX (currently use Solaris) and SQL as well as VB. I have also dabbled with Linux at home.

So far I've browsed the forums here as well as looking at the Offensive Security and Remote Exploit websites. I've downloaded and just started playing with BackTrack 2 as well as begun readig a book on pen testing (can't remember the title). I've also ordered a book on TCP/IP (TCP/IP: Jumpstart by Andrew Blank) as I've read a good knowledge of networking is fundamental.

Can you suggest anything else in terms of websites/books/free or cheap online courses that I can be looking at that will help my progress. Also, can you recommed the best certsto be looking at for when I get something sorted through my work.

Well your starting off in a good place. There's alot of knowledge offered in this forum. I suggest taking the Offensive Security 101 v2 Course. As for some books that might help you out in furthering your study, you may want to check the Book Review Section offered on the forum. Links below:http://www.ethicalhacker.net/component/ ... oard,10.0/

i found that if you want to make Pentesting your main carreer, you need some MAJOR experience with all and yes i mean ALL technologies out there.

The serious Consultants have 5-10 years experience minimum and have all certs thinkable.

I think you just scratched the surface in knowledge you are trying to aquire. My advice is make a long term plan and stick to it and get a firm base FIRST. TCP/IP books are very boring to read. My experience with Cisco courses is very good. You start off with a CCNA cert and is very accesible for everyone and you get tons if detailed info on TCP/IP and other major protocols. To be a security expert you need expert knowledge on major operating systems. And SQL seems to be THE html of the future. lol

I hope you dont think im too pessimistic but there is a lot of info out there to assimilate....lol.

This might seem like I am being sarcastic at first glance, but I am not at all. Perhaps the very first skill to learn in hacking is Google! Seriously. If you really know how to use it beyond the norm, its amazing what you can find. Not only is there so much info available on how to hack, but you can locate a large amount of sensative data. So much so that Bill Gates had mentioned one time Google should be out lawed! You can even locate vulnerable servers to attack.

Kev's 100% correct. You'd be suprised all the information you could find on Google. Along with the link that Kev provided, you may want to look into the book entitled "Google Hacking for Penetration Testers" - I've provided a link below:http://www.amazon.com/Google-Hacking-Pe ... 1931836361

Not to get nitpicky, but I wouldn't want someone mislead. SQL really has nothing to do with HTML. SQL is a database technology (MS-SQL, MySQL, Postgresql, etc) and lives on the back end. Data in SQL is accessed through programming languages such as PHP, Perl, Python, Ruby, etc. HTML and SQL actually don't communicate at all. Code can be embedded (server side includes) in HTML to poll SQL databases, but HTML has nothing in the markup language to work with databases.

Rance while you are correct in your explanations of HTML and SQL I think you missed the point. I think the assertion is that with so many dynamic web sites pulling from back end databases SQL information is replacing flat HTML web page development. If I got your point wrong Kabal let me know.

thx Bigwhiff, that was exactly what i meant.lol. I almost thought i was on the wrong forum. ;-)Even HTML can be generated straight from the database. Dont forget all kinds of database-injection techniques and cross-site-scripting

Last edited by kabal on Thu Feb 21, 2008 5:31 pm, edited 1 time in total.